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1. INTRODUCTION 

The Internet has developed immensely, facilitating doing business and providing individuals and 
organizations with digital communication. Over the numerous advantages the internet offers, it is constantly 
threatened by many risks that often have serious adverse [1]. New digital threats and cyberattacks are coming 
from new and unexpected sources. Online phishing, social engineering, and malware are just a few examples 
of cyberattacks [2]. These attacks negatively affect both individuals and the countries' economies. According 
to [3], it is estimated that cyberattacks' economic impact will increase by around five trillion dollars per year 
in the next five years. Cyberattacks are getting more sophisticated in the way they misuse and exploit 
technological advancement [4]. This is in part because many users are unaware of the concept of 
cybersecurity and how to protect their information. Users often behave in an insecure manner which makes 
them easy targets for exploitation [5]. According to William stalling in his book [6], security education 
provides users with the necessary skills to perform their duties. Education allows users to know actions that 
could compromise security, identify possible attack vectors, and report to appropriate personnel. The idea of 
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this approach was identified in the early 2000 s [7], [8]. However, instead of proposing new security courses, 
efforts have been devoted to proposing guidelines for adopting cybersecurity concepts in the non-security 
courses to enhance the appropriateness of practice and get better outcomes [9]-[11]. The most notable 
guideline CSEC2017 results from several computing organizations’ joint force (e.g., Association for 
Computing Machinery (ACM), Institute of Electrical and Electronics Engineers (IEEE), and International 
Federation for Information Processing (IFIP)) and was proposed by the cybersecurity community in 2017. 
The guideline defined the cybersecurity discipline and outlined the concepts that include knowledge areas 
and crosscutting concepts to provide the basis for knowledge areas in cybersecurity. Students will be 
empowered with the necessary knowledge to act reasonably in various circumstances and deal with their 
social reality issues [12]. 

In this regard, the work of [8] integrated security concepts into existing computer courses. They 
emphasized this concept's necessity and provided vital suggestions such as security issues that should be 
discussed throughout the primary and non-major courses in the computer science curriculum to raise 
awareness of vulnerabilities, threats, and risks. Other researchers have further analyzed this integration and 
proposed models to provide students with the basic computer security principles without the need for 
professional instructors insecurity [13]. Researchers recently focused on proposing systematic frameworks 
for proper integration [14], [15]. In the paper, Ezenwoye [15], proposed a framework with three phases 
structure based on typical curriculum development cycles (e.g., guideline development, planning, and 
implementation). 

Recently, authors of [16] proposed a conceptual cybersecurity awareness framework to improve the 
cybersecurity awareness of graduates in any academic institution. The awareness level in developing 
countries and for new threats have also been investigated in [17]-[19]. Other researchers have considered 
security in other domains like commercial [20]. Experiments have also been conducted to determine the 
students’ acquired knowledge [21], [22]. In the paper, Siraj et al. [21], experimented with the integration 
across low-level courses using security laboratory modules. Results show a positive impact that is reflected in 
the security knowledge gained by students. In the paper, Whitney et al. [23], the researchers introduced 
security teaching with Python and got positive results regarding knowledge and awareness. Unfortunately, 
the widespread attention to this security integration approach is insufficient, and its adoption is minimal [24], 
[25]. On the other hand, many works have been conducted in the area of educational data mining. Most of 
them are designed to forecast students' performance to predict their future outcomes based on students’ 
historical data [26]-[28]. The grade point average (GPA) was recognized as the most crucial attribute used to 
predict performance in many works. As the first step of our study, a pilot study is conducted on 40 students 
attending the information security course to assess the current level of cybersecurity awareness. The pilot 
study's main objective was to see how much the students are aware of cyber-attacks and what they do to 
protect themselves. The survey results indicated that students do not have much knowledge of Cybersecurity; 
this lack of knowledge reflects when using the Internet while not protecting their data, even on university 
systems. These findings encourage us to carry out our study. Thus, a four-step methodology is proposed to 
leverage the cybersecurity concepts into non-security computer science courses and assess the potential 
effects on students’ cybersecurity knowledge. Firstly, five principles have been selected from the 
cybersecurity Community guideline (CSEC2017) that worked best for the program. The other principles are 
purposefully not included as they are less important and can be integrated with other concepts. Secondly, the 
existing curriculum content is mapped to the selected principles. Thirdly, the gaps in the curriculum are 
identified, where they are filled by infusing new cybersecurity topics. Finally, the gained cybersecurity 
knowledge is measured to determine the effect of this infusion. The selected security principles are listed in 
Table 1 along with the related courses, while the complete list of the integrated topics is mentioned 
in Table 2. Accordingly, the following hypothesis proposed: 

Ha: Infusing cybersecurity principles into non-security courses will improve students’ awareness and 
knowledge of Cybersecurity. 


Table 1. The selected concepts and corresponding courses 


Principles Course 

SE WP DCN DB MP 
Fault tolerance X 
Cryptography algorithms X 
Secure networking protocols X 
Authentication techniques X X 
Hash functions X 


SE=Software Engineering, WP=Web-based Programming, 
DCN=Data Communication and Networks, 
DS=Database Systems, MP=Mobile Programming, X=selected 
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Table 2. The selected courses and their topics 
Order Course name Level Topics 

1 Software Engineering (SE) Year 2/Semester 1 SE1: Security breaches 
SE2: Software vulnerabilities 
SE3: Fault tolerance techniques 

2 Web-Based Programming (WP) Year 2/Semester 2 WP1: Cryptography 
WP2: Email and Web Security Protocols 
WP3: Secure Sockets Layer (SSL) Protocol 

3 Data Communication and Networks (DCN) Year 3/Semester! | DCNI: Protecting Computing Devices 
DCN2: Firewall Types 
DCN3: Two Factor and Mutual Authentication 
Techniques 

4 Database Systems (DB) Year 3/Semester 2 DB1: Creating and Managing Passwords 
DB2: SQL injection Attack 
DB3: Hash Functions 

5 Mobile Programming (MP) Year 4/Semester 1 MP1: Mobile Breaches 
MP2: Implementing Security Defenses 


To conduct the experiment, a sample of 42 IT students have been selected with no prior knowledge 
in cybersecurity. The sample is then divided into two identical groups, 21 students in the experimental group 
(E) and 21 students in the control group (C). The students in the experimental group agreed to take the five 
selected courses. In each course, all students in both groups were asked to undergo pre-evaluation evaluation 
tests before enrolling on the selected course. In contrast, the experimental group is also administrated to 
another post-evaluation after the end of that course. Expert instructors have set the questions of both tests in 
the field of Cybersecurity, and both tests have a different sample of questions. 

To statistically test the hypotheses Ha, two comparisons are performed: within the experimental 
group and across different groups. Concerning the experimental group, the first comparison was conducted to 
examine the significant difference between the pre-test and post-test scores of the experimental group alone 
and the control group alone using paired t-test. The second comparison was conducted to examine the 
significant difference between pre-test and post-test of both experimental and control groups, using the two- 
sample t-test. The purpose of both tests is to ensure that the experimental group students are acquired the 
required cybersecurity knowledge. Results revealed significant differences between marks of pre-evaluation 
and post-evaluation tests for most infused topics. Moreover, results show that the postmarks are in general 
higher than pre marks for the experimental group. The results also demonstrate that infusing important 
cybersecurity topics within other computer science courses can increase students’ awareness and knowledge 
regarding cybersecurity concepts. The remainder of this paper is organized as follows. Section 2 presents the 
research methodology and the experimental work, along with the evaluation measures. The results are 
discussed then in section 3. Finally, section 4 presents the conclusion and directions for future research. 


2. RESEARCH METHOD 

The research methodology of our study is divided into three phases. In the first phase, a pilot study 
is designed based on data collected from 40 students to examine their awareness of cybersecurity concepts. 
The survey's feedback enables us to determine security awareness levels that university students already 
have. Applicable principles were set and integrated into five non-security courses in the second phase, 
following a four-step methodology. Firstly, five appropriate principles have been selected based on the 
CSEC2017 guideline: fault tolerance, cryptography algorithms, secure networking protocols, authentication 
techniques, and hash functions. Secondly, a set of courses from the existing curriculum is mapped to the 
selected principles. Thirdly, the curriculum gaps are identified and filled. Finally, a set of topics is proposed 
to these gaps. 

In the third phase, 42 students have been carefully selected, such that they have no prior knowledge 
of Cybersecurity, nor they have taken any one of the five courses. The students were divided into two 
identical groups (experimental and control groups). The students in the experimental group agreed to take the 
five selected courses in consecutive order. In contrast, the other students in the control group were selected 
from the registered students in that course. All students were asked to undergo two tests: i) a pre-evaluation 
test (pre enrolling on the selected course) and ii) a post-test (after the end of that course) on the cybersecurity 
topics that they have learned within the selected courses. In both tests, the questions were selected carefully 
by expert instructors in cybersecurity, and both tests have a different sample of questions. A paired t-test 
statistical test is then performed to examine the significant difference between students' marks in the 
experimental group for the pre-evaluation and post-evaluation. In addition to using the two-sample t-test to 
examine the difference between experimental and control groups concerning pre and post-tests. 
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3. RESULTS AND DISCUSSION 
3.1. Results of pilot study 

The general knowledge about cybersecurity and cyber-attacks, password, authentication, email 
security, firewalls, and mobile security are investigated. The results of the study are summarized in Table 3. 
Regarding the first question about the general knowledge of cybersecurity and security attacks, it was found 
that only 10% are strongly knowledgeable. The other questions’ results have confirmed the responses to this 
self-evaluation. Considering this result for IT specialists' respondents, this lack of knowledge is likely higher 
in the general population. The second question asked about creating strong passwords. Surprisingly, more 
than 40% of the respondents used the same password for other services, and another 20% preferred to create 
an easy password. This might be a bad indicator of password creating knowledge. Similarly, the 
authentication techniques knowledge is not much better, as seen in question 3. Most of the participants do not 
know what two-factor authentication is. regarding the website trust in question 4, the same issue is revealed 
for respondents who consider the email server responsible for scanning the email links, which is not the case 
in practice. This awareness level is also reflected in question 5, where around 65% of the participants will 
download and install a program suggested by another site. 


Table 3. Results of pilot study 


Question Response # % 
1. Ona scale of one to five (five being the most No idea 3 7.50% 
confident), rank your knowledge about cybersecurity Hear about 10 = 25.00% 
and attacks? Some knowledge 16 40.00% 
Good knowledge 7 17.50% 
Strong knowledge 4 10.00% 
Total 40 100.00% 
2. Do you use a strong password to access your social Re-use the same password used in other services 16 40.00% 
or finical accounts? Create a password that is as easy as possible to remember 8 20.00% 
Create a very complex password and store it in a manager 10 25.00% 
service 
Create a new password that is similar to another service 4 10.00% 
Create an entirely new strong password 2 5.00% 
Total 40 100.00% 
3. Do you know what Two-Factor Authentication Yes 7 17.50% 
(2FA) is, and do you use it? No 33 82.50% 
Total 40 100.00% 
4. What would you do if you received an email with Do not click the link 14 35.00% 
links to other sites? Click the links because the email server has already 21 52.50% 
scanned the email 
Hover the mouse on links to verify the destination URL 5 12.50% 
before clicking 
Total 40 100.00% 
5. What would you do when a pop-up window is Download, and install the program 26 65.00% 
displayed states that you should download and installa Inspect the pop-up windows to verify their validity 8 20.00% 
diagnostics program to protect your computer? Ignore the message and close the website 6 15.00% 
Total 40 100.00% 
6. What action do you take if you need to connect to Connect and switch off the firewall 28 70.00% 
the Internet via an open Wi-Fi hotspot, but it asks you Do not connect to it and keep your firewall 8 20.00% 
to switch off the firewall? Connect to it and establish a VPN to a trusted server 4 10.00% 
Total 40 100.00% 
7. Have you ever rejected a mobile app request for Yes 24 60.00% 
accessing your contacts, camera, or location? No 16 40.00% 
Total 40 100.00% 


Another parameter that still illustrates low awareness of cybersecurity is shown when 70% of 
respondents are willing to switch off their firewalls for a free Wi-Fi hotspot given in question 6. It is also 
important to underline that the awareness about denying a mobile app request personal data positively 
impacts participants’ responses. 60% of the participants will reject a mobile app request accessing their 
contacts, camera, or locations for the last question. 

The survey results indicated that students do not have much knowledge of Cybersecurity; they need 
to be motivated to security precautions and be exceptionally the risks of online services. Also, it appears that 
educational institutions do not have an active approach to improving awareness among students. It is worth 
mentioning here that our pilot results are compatible with recent studies. One can consider the study in [29], 
which analyzed cybersecurity awareness among education sector members in the Middle East region. The 
results reveal that the participants do not have the requisite knowledge and understanding of the importance 
of security principles and their practical application in day-to-day work. 
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3.2. Results of pre-evaluation and post-evaluation tests 
3.2.1. Statistical tests between pre and post exams for experimental group 

In these tests, one noticed that the students’ overall average marks in the post-evaluation test are 
higher than the pre-evaluation test with significant t-test results for two topics (SE1 and SE2), as shown in 
Table 4. It can also notice that pre-evaluation marks' standard deviation is close to that of post-evaluation 
marks in most courses. The Cohen's d measure indicates that the effect size for topics (SEI and SE2) is 
greater than 0.5, which means a significant difference between pre and postmarks, less than 0.5 for SE1. 


Table 1. Results of software engineering course, using paired t-test 


ID Cybersecurity Topic Before After t-test Effect size (Cohen's d) Win tie lose 
SE1 SB 46.7+411.4 66.4+12.8 t=-9.0, p-value<0.001* 1.63 19 0 2 
SE2 SV 48.3418.1 72.7+13.7  t=-8.5, p-value<0.001* 1.53 17 0 4 
SE3 MTS 61.0+15.6 _65.7+13.4 _ t=-1.8, p-value=0.08 0.32 12 1 8 


*Significant at 95%. SB=security breaches, SV=software vulnerabilities, MTS=malware types and symptoms 


The same findings can be seen for the web programming course, as shown in Table 5. Surprisingly, 
the web programming course's average marks are less than that of the software engineering course. The 
paired t-test between the two evaluations shows significant differences between the two marks for all topics. 
The Cohen's d effect size confirms the obtained statistical differences with an effect size greater than 0.5. 
Also, the number of wins is significantly greater than the number of losses, which revealed that the number 
of students who improved their marks is larger than those who failed to improve. 


Table 5. Results of web programming course, using paired t-test 


ID Cybersecurity Topic Before After t-test Effect size (Cohen's d) win tie lose 
WPI CRP 41.1414.5  52.5+49.4 — t=-5.2394, p-value<0.001* 0.95 14 0 7 
WP2 EWS 44.8411.9 57.6+15.9 t=-5.0848, p-value<0.001* 0.92 15 0 6 
WP3 SSL 30.4+15.3 46.5+13.7 _ t=-6.1875, p-value<0.001* 1.11 15 1 5 


*Significant at 95%. CRP=cryptography, EWS=email and web security, SSL=secure sockets layer (SSL) 


The results in Table 6 demonstrate that adopting three cybersecurity topics would partially enhance 
student awareness regarding the Data communication and networking course. However, only two topics 
(DCN2 and DCN3) show significant improvements, as confirmed by the t-test. Surprisingly, the average of 
pre and postmarks for DCN] are similar with insignificant differences between them. In contrast, the overall 
average of post-evaluation marks is higher than the average of pre-evaluation marks for DCN1 and DCN2. 
Thus, satisfactory improvements in student knowledge in the DCN course are generally shown, but this 
improvement did not show the expected level. 


Table 6. Results of data communication and networking course, using paired t-test 


ID Cybersecurity Topic Before After t-test Effect size (Cohen's d) win tie lose 
DCN1 PCD 54.1415.1  54.8+17.5 — t=-0.24, p-value=0.814 0.04 11 0 10 
DCN2 FT 50.0419.1 57.3+13.6  t=-2.40, p-value=0.019* 0.44 13 0 8 
DCN3 TFMA 42.4+16.0 48.6+18.3  t=-2.01, p-value=0.047* 0.36 12 1 8 


*Significant at 95%. PCD = protecting computing devices, FT = firewall types, TFMA = two factors, and mutual authentication 


The results of significance tests for the database course are a little bit different than previous 
courses. Three cybersecurity topics were adopted, as mentioned in Table 7. The average of marks for post- 
test is larger in general than the pre-evaluation test, suggesting good improvements in students' awareness. 
The paired t-test results demonstrate a significant difference between pre-evaluation and post-evaluation 
marks for three cybersecurity topics: Creating and managing passwords and hash functions. 


Table 7. Results of database systems course, using paired t-test 


ID Cybersecurity Topic Before After t-test Effect size (Cohen's d) win tie lose 
DBI CMP 60.7411.9 66.3412.6  t=-2.6, p-value=0.01* 0.46 13 1 7 
DB2 SIA 49.8+16.4 64.8+8.80 t=-6.4, p-value<0.001* 1.19 16 0 5 
DB3 HF 38.6415.4 45.4+10.1 t=-2.9, p-value=0.004* 0.54 14 0 7 


* Significant at 95%. CMP: creating and managing passwords, SIA: SQL injection attack, HF: hash functions 
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This result suggests that the student awareness significantly improved while taking these topics 
within the database course. However, the effect size revealed a strong justification to judge that the difference 
between two evaluation marks is significant for only two topics (DB2 and DB3) with Cohen's d over 0.5. 
Concerning the mobile programming course, Table 8 shows significant differences between pre-evaluation 
and post-evaluation tests for only MP2 topics, confirming that adopting these cybersecurity topics in a 
programming course would enhance student awareness about threats that can affect the mobile application. In 
contrast, a significant difference for MP1 was not found. Both findings are confirmed by Cohen's d effect 
size, which is less than 0.5 for MP1 and greater than 0.5 for MP2. It can also notice that the average marks of 
pre-evaluation tests for both engaged cybersecurity topics are quite acceptable, demonstrating that the student 
in this course is familiar with this kind of threat. Also, significant improvements in their marks after adopting 
MPI were not noticed, which is confirmed by the number of wins and losses for MP1 that is so close. 


Table 8. Results of mobile programming course, using paired t-test 


ID Cybersecurity Topic Before After t-test Effect size (Cohen's d) win tie lose 
MPI MB 67.1411.2  70.2415.4 — t=-1.3, p-value=0.20 0.23 12 0 9 
MP2 ISD 53.5+412.7 _73.7+13.4 _ _t=-8.6, p-value<0.001* 1.54 19 0 2 


*Significant at 95%. MB=mobile breaches, ISD=implementing security defenses 


3.2.2. Statistical test between experimental and control groups 

The pre and post-test marks for both control and experimental groups for each course are infused 
cybersecurity topics in these tests were compared. The average of marks for each cybersecurity topic is 
converted to a scale from 0 to 100. Table 9 shows the statistical analysis using the Two-sample t-test between 
the experimental and control group for software engineering course. Results show no significant difference 
between the experimental and control groups in the pre-test of all software engineering topics. This confirms 
that students’ knowledge in both groups is relatively similar with no significant difference. In contrast, we 
noticed positive significance for the post-test between the experimental and control group with a large effect 
size. These findings are consistent with our basic assumptions that presume that the student's marks in the 
experimental and control group must be relatively similar to the pre-test because they have no prior 
knowledge and are significantly different in terms of post-tests. 


Table 9. Comparison between experimental and control group for software engineering course, using two- 
sample t-test 


Test Type ID Cybersecurity topic Experimental group Control group t-test Effect size (cohen's d) 
Pre-Test SE1 SB 46.7+11.4 51.6+12.3 t=-1.44, p-value=0.19 0.41 

SE2 SV 48.3+18.1 46.7+11.8 t=0.34, p-value=0.74 0.10 

SE3 MTS 61.0+15.6 57.7414.6 t=0.71, p-value= 0.48 0.21 
Post-Test SE1 SB 66.4+12.8 52.4+12.9 t=3.53, p-value=0.001* 1.09 

SE2 SV 72.7+13.7 48.3+10.2 t=6.54, p-value<0.001* 2.02 

SE3 MTS 65.7+13.4 55.54152 t=2.31, p-value=0.02* 0.71 


*Significant at 95%. SB=security breaches, SV=software vulnerabilities, MTS=malware types and symptom 


Table 10 shows the results for the web programming course. Here, a significant difference between 
both groups regarding the pre-test for the secure sockets layer (SSL) topic is shown. However, no difference 
was shown for the remaining topics between the two groups. In terms of post-test, no significant difference 
was shown between the two groups for the cryptography topic. This is due to the difficulty of this topic as it 
depends on complex math theory. However, a significant difference was shown for the remaining topics (e.g., 
email and web security and secure sockets layer). 


Table 10. Comparison between experimental and control group for web programming course, using two- 
sample t-test 


Test Type ID Cybersecurity topic Experimental group Control group t-test Effect size (cohen's d) 
Pre-Test WPI CRP 41.1414.5 46.3+11.2 t=-1.30, p-value=0.20 0.40 
WP2 EWS 44.8+11.9 43.6+10.5 t=0.347, p-value=0.73 0.11 
WP3 SSL 30.4415.3 40.7+16.7 t=-2.08, p-value=0.044* 0.64 
Post-Test WP1 CRP 52.5+9.4 48.6+11.7 t=1.2, p-value=0.24 0.41 
WP2 EWS 57.6+15.9 47.3+12.3 t=2.35, p-value=0.025* 0.72 
WP3 SSL 46.5+13.7 38.2+10.1 t=2.23, p-value=0.032* 0.69 


* Significant at 95%. CRP=cryptography, EW=email and web security, SS=secure sockets layer (SSL) 
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Table 11 shows the results for the data communication and networking course. For the pre-test 
marks, no significant difference was shown between both groups for all topics. However, a significant 
difference was shown in the post-test marks for two topics (e.g., protecting computing devices and firewall 
types). On the other hand, students did not perform well in the two factor and mutual authentication topic. 


Table 11. Comparison between experimental and control group for data communication and networking 
course, using two-sample t-test 


Test Type ID Cybersecurity topic __ Experimental group _ Control group t-test Effect size (cohen's d) 
Pre-Test DCN1 PCD 54.1415.1 52.3412.4 t=0.42, p-value=0.68 0.13 
DCN2 FT 50.0+19.1 51.7416.3 t=-0.31, p-value=0.76 0.10 
DCN3 TFMA 42.4+16.0 46.1+13.4 t=-0.81, p-value=0.42 0.25 
Post-Test DCN1 PCD 54.8417.5 45.0+12.2 t=2.11, p-value=0.04* 0.65 
DCN2 FT 57.3+13.6 46.9+12.1 t=2.62, p-value=0.01* 0.81 
DCN3 TEMA 48.6+18.3 41.1+13.4 t=1.52, p-value=0.13 0.47 


* Significant at 95%. PCD=protecting computing devices, FT=firewall types, TFMA=two factor, and mutual authentication 


Table 12 shows the results for the database systems course. The gained results of this course are 
similar to the previous course (e.g., data communication and networking). Specifically, results show no 
significant difference between both groups regarding the pre-test for all topics. In addition, a significant 
difference was shown between the two groups for all topics in terms of post-test. This is due to the popularity 
of these topics, as most students used the topics’ techniques daily (e.g., creating and managing passwords, 
SQL injection attack, and hash functions). 


Table 12. Comparison between experimental and control group for database systems course, using two- 
sample t-test 


Test Type ID Cybersecurity topic Experimental group Control group t-test Effect size (cohen's d) 

DBI CMP 60.7+11.9 64.9+13.3 t=-1.1, p-value=0.29 0.33 
Pre-Test DB2 SIA 49.8+16.4 51.4411.8 t=-0.36, p-value=0.72 0.11 

DB3 HF 38.6+15.4 42.6+12.1 t=-0.94, p-value=0.36 0.29 

DBI CMP 66.3+12.6 57.1412.4 t=2.38, p-value=0.02* 0.74 
Post-Test DB2 SIA 64.8+8.80 52.3+14.6 t=3.36, p-value=0.002* 1.04 

DB3 HF 45.4+10.1 38.7+9.5 t=2.21, p-value=0.03* 0.68 


* Significant at 95%. CMP=creating and managing passwords, SIA=SQL injection attack, HF =hash functions 


Table 13 shows the results for the mobile programming course. Due to the topic novelty, most of the 
topics did not significantly differ between the experimental and control groups. For instance, the mobile 
breaches and implementing security defenses topics have no significant difference between groups in pre-test 
marks. The same case for implementing security defenses post-test marks were noticed, where no significant 
difference was noticed between groups. However, a significant difference was shown for the Mobile 
Breaches topics, where students gain knowledge after Infusing this principle. 


Table 13. Comparison between experimental and control group for mobile programming course, using two- 
sample t-test 


Test Type ID Cybersecurity topic Experimental group Control group t-test Effect size (cohen's d) 
Pre-Test MP1 MB 67.1411.2 64.3412.4 t=0.77, p-value=0.44 0.24 

MP2 ISD 53.5412.7 56.7411.9 t=-0.84, p-value=0.40 0.26 

MP1 MB 70.2+15.4 61.5+10.3 t=2.15, p-value=0.04* 0.66 
Post-Test Mp2 ISD 73.7+13.4 59.9+12.1  t=3.5, p-value=0.001 1.08 


* Significant at 95%. MB=mobile breaches, ISD=implementing security defenses 


Indeed, from the above statistical test results, a conclusion can be drawn that, in general, the 
students have a quite low level of cybersecurity awareness, as confirmed in the averages and standard 
deviations of pre-evaluation marks. But these marks are significantly improved in almost all topics except for 
three topics, namely, SE3, DCN1, MP1. To test this hypothesis, the average marks for all pre marks of all 
topics (Say before) and average postmarks for all topics (say after) for the experimental group only were 
computed. 
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The paired t-test results (t=-17.3, p-value<0.001) between the before and after groups confirmed 
Has hypothesis and revealed a significant difference between students' average marks in all topics. 
Furthermore, average marks for all postmarks of all topics for the experimental group (E) and average 
postmarks for the control group (C) are computed. Then two-sample t-test results (t=2.16, p-value=0.031) 
between them were applied. The obtained results confirmed H,'s hypothesis and revealed a significant 
difference between students' average marks. Figure 1 summarizes these findings. 


@ Avg. Mark Before Avg. Mark After 


50 
40 
30 
20 
10 

0 


SE1 SE2 SE3 WP1 WP2 WP3 DCN1DCN2DCN3 DB1 DB2 DB3 MP1 MP2 
Topic 


Average of Marks 


Figure 1. Courses results before and after the infusion 


4. CONCLUSION 

This paper proposes a detailed approach for examining the effect of infusing cybersecurity 
principles in the IT curriculum's non-security courses on students’ awareness and Cybersecurity knowledge. 
However, before determining that, our study is started with a pilot study conducted on 40 IT students to see 
how much students are aware of 7 principles related to Cybersecurity and what they do to protect themselves 
from cyber-attacks. The obtained results indicated that students do not have much knowledge of 
Cybersecurity and need to be aware of security precautions and online services risks. Also, results revealed 
that educational institutions do not actively approach cybersecurity awareness among students. Based on this 
finding, the study relied on the remarkable guideline (CSEC2017) and distilled the main security principles 
that the curriculum must include. Accordingly, these principles are mapped to the relevant curriculum 
courses and proposed a set of topics that will reflect the selected principles. 

To determine the effects of infusing principles, the degree of improvements in the acquired 
knowledge for 42 students through pre and post-evaluation tests were assessed. The students were divided 
into two identical groups (experimental and control groups). All students were asked to undergo two tests, a 
pre-evaluation test (pre enrolling on the selected course) and a post-test (after the end of that course) on the 
cybersecurity topics. A paired t-test statistical test is then performed to examine the significant difference 
between experimental group students' marks in the pre-evaluation and post-evaluation. 

In addition, the two-sample t-test is used to examine the difference between experimental and 
control groups for pre and post-tests. We noticed that the students often have a quite low level of 
cybersecurity awareness, as confirmed in the averages and standard deviations of pre-evaluation marks. 
Moreover, results show that the postmarks are in general higher than pre marks. The results demonstrate 
that engaging important cybersecurity topics within other computer science courses can increase students’ 
awareness and knowledge regarding cybersecurity concepts. It is highly encouraged that education 
institutes integrate some important cybersecurity topics within existing courses based on the obtained 
results. 
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